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PRESIDENT AND CEO 


Privacy issues were center stage in 2013, like no other year in recent memory. The National Security 
Agency, data brokers, data breaches, mobile apps, cookies, and Do Not Track all repeatedly made 
headlines. Dictionary.com selected “privacy” as the word of the year and some wondered whether 
privacy exists at all in today’s increasingly interconnected digital world. 


At the same time, Network Advertising Initiative members and NAI’s compliance team invested 
enormous resources working to ensure that consumer choices are honored and data privacy 

is respected. NAI's Self-Regulatory Code of Conduct sets high standards for Interest-Based 
Advertising and related business models applicable to our third-party advertising members- 
standards that embody the Fair Information Practice Principles of notice, choice, transparency, use 
limitations, data security, access, and accountability. 


It's that last principle-accountability— that is at the heart of the NAI program and the focus of this 
report. Our high standards are backed by rigorous compliance and robust enforcement. Over a 
nine-month period, our compliance team proactively reviewed the business models and privacy 
practices of NAl member companies, a mandatory requirement for every NAl member company 
every year. The team analyzed data collection and use practices, opt-out mechanisms, disclosures 
in privacy policies, representations in marketing materials, retention schedules, and information 
from members about contract terms, and other practices. Our staff and members invested 
thousands of hours in this process. No other self-regulatory body in the advertising ecosystem 
has such a comprehensive compliance program, and as the CEO of the NAI, I’m proud of that. 


I'm even more proud of the results. As discussed in this report, our reviews found that members 
continue to take their compliance obligations seriously and overwhelmingly adhere to the 

NAI Code of Conduct. Even in the face of increasing uncertainty in the marketplace and new 
competitive challenges, NAl members met their obligations and demonstrated their commitment 
to consumer privacy and industry best practices. 


No doubt privacy will remain a top issue in 2014. The NAI and its members will embrace the 
challenges ahead and maintain our high standards, tackling emerging issues such as mobile 
advertising, new tracking technologies, and cross-platform marketing. | am proud that members 
take privacy seriously. | am also confident that when you read this compliance report, you will be 
impressed with our program and share my optimism. 


Yr I. CWA 


Marc Groman 
President and Chief Executive Officer, NAI 


EXECUTIVE 
SUMMARY 


The not-for-profit Network Advertising Initiative (NAI) is the leading self-regulatory trade 


association governing “third parties” engaged in digital advertising and related activities. 
The NAI Self-Regulatory Principles were first adopted in 2000. At the time, in its Report on 
Online Profiling, the Federal Trade Commission “unanimously applaud[ed]” the NAI for 


developing these groundbreaking self-regulatory principles. 
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Overall, the Code’s goal is to incentivize 


privacy by design and responsible data 


collection and use practices. 


The NAI updated the Self-Regulatory Principles, 
also referred to as the Code of Conduct (Code), 
in 2008 and again in 2013. The foundation of 
the Code has always been the Fair Information 
Practice Principles (FIPPs). The Code applies 
FIPPs to Interest-Based Advertising (IBA) and 
Ad Delivery and Reporting activities of member 
companies in the United States. 


Overall, the Code’s goal is to incentivize privacy 
by design and responsible data collection and 
use practices by NAl members. For example, 
under the Code, members must set and publicly 
post a retention schedule for the data collected 
and used for IBA (and related activities). In 
addition, the restrictions around the merger 

of Personally Identifiable Information (PII) with 
previously collected non-PIl for IBA purposes 
often lead members to implement administrative, 
technical and physical controls when building 
databases to prevent the accidental merger of 
such information. 


The NAI’s core principles are: 
e Transparency/Education 
Notice 
Choice/User Control 
Use Limitations 


Transfer Restrictions 
Access 

Reliable Sources 
Security 

Data Retention 
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“The compliance process helps us build-in privacy by design into our development 


process by having us take the Code into account when creating new services 


or products.” 


Angelique Okeke 
Senior Counsel, Lotame Solutions, Inc. 


Members are further required to provide consumers with transparency, notice and choice around their 


IBA practices. This includes providing links to privacy disclosures and consumer education materials. 
Further, the Code limits the use of data collected for IBA and restricts the transfer of such data to third 
parties. It also requires members to work with “reliable” data sources and to secure the data they 


collect for IBA. Finally, the Code establishes strong disincentives for the collection of PII and Sensitive 


Consumer Information. 


The Code must be backed by rigorous compliance and enforcement procedures for NAI's self-regulatory 
framework to be effective. Compliance, more fully discussed below, includes the following: 


Pre-certification Review: NAI staff conducts detailed evaluations of applicants’ business models to 
help confirm that their business practices are capable of meeting the requirements of the NAI Code, 
striving to ensure members’ compliance with the Code even before they join the NAI. 


Technical Monitoring Tool: The NAI conducts automated technical monitoring of members’ opt out. 


Investigation of Consumer Communications: The NAI investigates consumer communications 
alleging member non-compliance with the Code and works with members to address 
potential violations. 


Investigation of Allegations of Non-Compliance: The NAI evaluates allegations of non-compliance 
from other sources, such as regulators, competitors and privacy advocates. 


Annual Compliance Reviews: The NAI performs in-depth annual reviews to help ensure that 
members continue to comply with the Code - even as their business models evolve. 


Enforcement: NAI members are subject to formal sanctions for material non-compliance 
with the Code. 


Publication of the Annual Compliance Report: Through publication of this annual report, 
consumers, regulators and others gain visibility into the NAI’s compliance program and 
self-regulatory process. 
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Through the 2013 compliance processes, the NAI found that member companies are overwhelmingly 
meeting the requirements of the 2008 Code of Conduct: 


Transparency/Education: Members complied with Code obligations around educating consumers 
about their IBA activities by donating 2 billion impressions to the NAI educational campaign. 
Because of this effort, and other factors, 3,140,000 consumers visited the NAI education pages in 
2013. 


Notice: Members continued to provide consumer-facing notices about their data collection and 

use practices for IBA. First, members provided notice in their privacy disclosures on their own sites. 
Second, members worked to ensure that the digital properties or publishers with which they partner 
for IBA activities post notice and choice around these activities on the publisher's site — resulting 

in at least 278,481 publisher websites including a link to the NAI website. Member companies also 
provided notice and choice in or around advertisements trillions of times per month through the 
Digital Advertising Alliance's Icon, or other similar links. 


Choice: Members confirmed that they did not use any data that required Opt-In Consent (such as a 
social security number) from consumers for IBA. All NAI members participated in the NAI’s opt-out 
page and offered links to opt-out mechanisms from their own sites. Upwards of 3,920,000 consumers 
visited the NAI opt-out page in 2013. The NAI’s technical monitoring tool and manual checks of 
members’ opt-out mechanisms demonstrated that members provided and honored consumer 
choice with respect to the collection and use of data for IBA. Technical issues raised by NAI staff 
relating to downtime of a member's opt-out were resolved within 24 hours from the member's 

notice from NAI staff. 


Use Limitations: Members attested their compliance with Code limitations around the use of data 
collected for IBA purposes and the transfer of such data to third parties. For example, members 
affirmed that the data they collected through their IBA activities were used, or allowed to be 
used, for Marketing Purposes only. Members also confirmed that they did not merge PII data with 
previously collected non-PII for IBA purposes. 


Data Security & Retention: Members confirmed during the annual review that they retained the 
non-Pll data they collected in a secure manner and for a publicly posted retention time period. 


“In completing the compliance process, we demonstrate to regulators, business 


partners, and consumers that membership in the NAI is not a paper exercise or 


a mere promise to meet high standards - it’s a serious obligation.” 


Doug Miller 


Global Privacy Leader, AOL Inc. 


THE NAIS 
BACKGROUND 


Since 2000, the not-for-profit Network Advertising Initiative (NAI) has been the leading 


self-regulatory body governing “third parties” engaged in Interest-Based Advertising 
(IBA)' and Ad Delivery and Reporting (ADR)? in the United States.* Members include 

ad networks, exchanges, platforms,* data aggregators, creative optimization firms, 

yield optimization firms, sharing utilities and other technology providers. At the time 

of publication, the NAI has 97 members. These intermediaries play a pivotal role in the 
digital advertising ecosystem-linking advertisers and trusted brands with those consumers 
most likely to be interested in their products and services. This relevant advertising, in 


turn, helps power free content and services in the digital space. 


1 IBA is referred to as “Online Behavioral Advertising” in the 2008 Code of Conduct. It is defined as “any process used whereby 
data are collected across multiple web domains owned or operated by different entities to categorize likely consumer interest 
segments for use in advertising online.” (§ 11.1) 


2 The Code imposes requirements with respect to “Ad Delivery & Reporting” which is defined as “the logging of page views or the 
collection of other information about a browser for the purpose of delivering ads or providing advertising-related services.” Ad Delivery 
and Reporting (ADR) includes providing an advertisement based on a browser or time of day, statistical reporting, and tracking the 
number of ads served on a particular day to a particular website. (Code § II.3) 


3 The Code covers activities that occur in the United States. While the NAI encourages its members to apply the high standards of 
the Code to their activities globally, the NAI only evaluated US-based IBA and ADR activity for the purposes of this report. 


4 NAI membership spans across various platforms, including demand side platforms (DSPs), supply side platforms (SSPs), data 
management platforms (DMPs) and audience management platforms (AMPs). 


O————— eM 
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The NAI helps its members foster trust while serving 
consumers with relevant advertisements through a 
comprehensive self-regulatory program that includes 


a far-reaching Code of Conduct backed by robust 


compliance and enforcement. 


The NAI is motivated by members’ desire to 


maintain consumer trust while providing a relevant "NAI's comprehensive compliance review 


digital advertising experience. The NAI helps its : 
l . program — which not only occurs at the 

members foster trust while serving consumers with 

relevant advertisements through a comprehensive start of membership but comes with 

self-regulatory program that includes a far-reaching 


annual reviews bolstered by daily scans 
Code of Conduct backed by robust compliance 


for opt-out functionality - removes a 
and enforcement. 


tremendous amount of the heavy lifting 
This report provides a summary of the NAI staff's for Publishers.. We ask that all of our 


findings from the 2013 compliance program, 


applying the principles of the 2008 NAI Code 
(Code), which is the version of the Code in effect 
for the compliance period. Through publication 

of this report, consumers, regulators and others 
gain visibility into the NAI’s compliance program 
and self-regulatory process. In addition, this report 
helps illustrate how the compliance process shapes 
the evolution of the NAI's policies and procedures. 
That includes policies released over the past year, 
as well as goals for improving its compliance 
program in 2014. 


ad partners become NAI members, not 
only for their own benefit but also for 
ours as industry consistency allows for 
streamlined operations and greater 


consumer trust.” 


Shane Wiley 


VP, Privacy & Data Governance for Yahoo! 


5 The 2008 NAI Self-Regulatory Code of Conduct can be found at: http://www.networkadvertising.org/principles.pdf. Any 
references to provisions of the Code in this report refer to the 2008 Code of Conduct. 
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THE NAI 
COMPLIANCE 
PROGRAM 


The Code sets out principles around the responsible and transparent collection 


and use of information for digital advertising. NAI staff works with applicants to 
help bring them into compliance with the Code and helps confirm that existing 


members continue to comply with the Code. 
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NAI staff works with applicants to help bring them into 


compliance with the Code and helps confirm that existing 


members continue to comply with the Code. 


Compliance begins with the on-boarding process, 
whereby the NAI staff evaluates each applicant's 
business model and privacy practices. NAI staff also 
examines members’ data collection, use, retention, 
and sharing practices, as well as relevant disclosures 
and affirmations of contractual provisions. The NAI 
also reviews the applicant’s choice mechanisms to 
assess their consistency with the Code. 


All applicants work with the NAI team to help 
bring their relevant services and products into 
compliance. Through this review, staff highlights 
potential practices that need to be addressed 
for a company to become an NAI member. This 
assessment can be a months-long process, with the 
NAI providing guidance and suggestions about 
Code compliance at every step. Most applicants 
make substantial revisions to their public privacy 
notices and disclosures in order to provide the 
full level of notice required by the Code. In 


2013 NAI Board Members: 
Alan Chapell, BlueKai 

Alan Koslow, AudienceScience 
Andrew Pancer, Dstillery 
Brooks Dobbs, |-Behavior 
David Wainberg, AppNexus 
Douglas Miller, AOL Advertising 
Estelle Werth, Criteo 

Jason Bier, Conversant 
Matthew Haies, Xaxis 
Michael Benedek, Datonics 


Shane Wiley, Yahoo! Inc./Dapper 
Will DeVries, Google 
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many cases, staff provides technical guidance to the applicants to help them develop a fully functional 
opt-out mechanism that meets the Code’s requirements and is compatible with the industry-wide opt-out 
mechanism. In some cases, applicants have abandoned existing or planned lines of business to meet the 
Code’s requirements. 


Once the applicant's business model and privacy policy are reviewed, staff submits its recommendation for 
membership to the full NAI Board of Directors, which is comprised of seasoned attorneys and compliance 
executives from 12 leading companies. Board members review the application, often requesting additional 
information, before voting on accepting a new member. Thus, review by both the staff and the Board help 
confirm that any potential member has the administrative, operational and technical capabilities to comply 
with the Code before a company may claim membership in NAI. 


In 2013, eight companies® completed the pre-certification review process and were approved by the Board. 


MONITORING OF MEMBERS 
NAI Technical Monitoring Tool 


Once a company becomes a member of the NAI, 

the member — and, more importantly consumers 

— benefit from the NAI’s technical monitoring NAI MONITORING TOOL 
program. Under the Code, each member is 


required to provide and honor the consumers’ 


choice to disallow IBA data collection and use 
by a member on a particular browser.” The NAI 
technical monitoring tool uses automated Web > 


crawls to gather data related to the member's via Web crawler 


opt-out functionality and reliability. It analyzes the Weh Pages NAI Server 
crawl data for signs of potential issues and then 
reports the results of these analyses to NAI staff. 


Throughout 2013, NAI staff used these reports 

to identify and address potential problems with AN = 3 dy 
member opt-out mechanisms. These issues were @, > |= > 

the result of: (1) members adding or removing => 

domains used for IBA purposes, (2) incomplete Analytics Report Generated, Review by 

. i : ; Issues Flagged NAI Staff 
server migrations, and (3) potential bugs in new 
products and services. 


6 The following went through the pre-certification process and became NAI members in 2013: 


1. LiveRamp, 2. Media.net, 3. Krux Digital, 4. FlashTalking, 5. Innovid, 6. Vindico, 7. The Trade Desk, 8. Madison Logic 


7 The Code requires member companies to provide an opt-out mechanism, together with robust notice, for the use of PII to be 
merged with non-PII on a going-forward basis (prospective merger). Members are also required to obtain Opt-In Consent for the use 
of previously collected non-Pll to be merged with PII (retrospective merger). (§ III.3(a)(ii) - (iii).) As addressed below, no evaluated 
member companies currently use PII for IBA which requires Opt-In. As a result, this report addresses the provision and honoring of 
opt-out choices for the use of non-Pll for IBA only. 


In 2013, NAI reviewed 
1,191 consumer queries 
received through its 
website or via email and 
received approximately 
1,000 telephone calls 
from consumers. 


Working together, the NAI and members sought 
to assure that any potential downtime of an 
opt-out was as minimal as possible. In fact, nearly 
every issue that was identified using this tool was 
resolved within 24 hours of the NAI reaching out 
to the member.’ Further, none of these issues were 
deemed to constitute a material non-compliance 
matter because the underlying issue was resolved 
quickly and was found to be unintentional. Finally, 
most members experiencing technical problems 
went on to develop and provide additional 
technical and administrative checks to help prevent 
similar issues from reoccurring. 


Investigating Consumer Complaints 


The NAI provides a central site for consumers to ask questions and raise concerns about members’ 
compliance with the Code. (§ IV.2(a).) 


In 2013, the NAI received and reviewed 7,791 consumer queries through its website or via email. NAI staff 
determined that almost 30% of inquiries pertained to issues outside of the scope of the NAI’s mission. For 
example, the emails were spam,’ not a legitimate inquiry, or concerned specific questions about a publisher's 
site on which the NAI opt-out link appeared rather than a question about NAI member practices." 


Most of the remaining 70% of consumer inquiries related to requests for assistance in trouble-shooting opt 
out issues due to technical glitches outside the control of the NAI or its members. Mainly, questions were from 
consumers using browsers or anti-virus software that blocked third-party cookies, which would also prohibit 
opt-out cookies from being set on the consumer's browser. This would lead to a consumer seeing an opt-out 
failure. Other factors leading to an opt out issue outside of the NAI’s and members’ control included those 
around the consumer's corporate network security, telecommunications breakdowns, ISP or infrastructure 
anomalies and client-side technical glitches. NAI staff responded to the vast majority of these consumer 
questions with information to help resolve their concerns, and did so without member involvement. 


In seven cases, the NAI discovered from the consumer communication that an opt out was down and that the 
underlying issue was related to a temporary disabling of an entire domain. The NAI and the affected member 
responded to and addressed the underlying technical issue within 24 hours, which NAI staff deemed to be 
a “reasonable period of time." (§ IV.2(b).) Again, none of these issues were deemed to constitute a material 
non-compliance with the Code since the underlying issue was resolved quickly and found to be unintentional. 


8 In one case, NAI staff determined that a member had not added several new domains to its opt-out script. However, after further 
investigations and discussions with the member, NAI staff confirmed that the member had not started using those domains for IBA 
activities. In this case, staff provided the member with additional time to fix the opt-out script prior to engaging in any IBA use of those 
domains to help ensure that the member had conducted appropriate testing and quality control of the opt-out script. 


9 — The NAI noted a massive reduction in the number of emails it received in 2013 versus prior years due to technical steps taken to 
prevent the receipt of emails from spambots through its website. 

10 If members engaging in IBA or Multi-Site Advertising have an agreement with digital publishers, they are obligated to require 
those publishers, through contractual provisions, to provide a link to the NAI website on the publisher's site where they collect and use 
data for IBA purposes. (§ III.2(b).) This is discussed more fully below. 


Bn ( 


NAI staff also received approximately 1,000 telephone calls from consumers in 2013. None of the 
questions related to compliance with the Code. In the vast majority of cases, consumers were attempting 
to reach publishers on which the consumers found the NAI link in the mistaken belief that they were 
reaching the publisher." 


NAI staff determined that in 2013, consumer communication received by the NAI through email, phone 
or the website that were conducive to resolution had been resolved within a reasonable timeframe 

and were non-material. Therefore, no issue raised through a consumer communication was formally 
escalated to the NAI Board. 


Finally, during the 2013 annual review, NAI staff reviewed evaluated member companies’ sites and 
confirmed that they provided mechanisms on their own websites through which consumers could submit 
complaints or questions directly to the member as well. (§ IV.2(b).) 


INVESTIGATING OTHER COMPLAINTS 


During 2013, NAI staff investigated other instances of possible non-compliance with the Code 
discovered by staff, or brought to staff's attention by others, including by other NAI members. The full 
NAI compliance team, consisting of attorneys and technologists, investigated questions of purported 
non-compliance and found that alleged activities were not governed by the Code.’ Therefore, staff did 
not refer any of these instances to the Board for further review. 


11 Id. 


12 Investigations revealed that a) the purported activities involved a company that was not an NAI member or b) the complaint 
related to a member ostensibly using technologies, other than HTTP cookies, for activities that were not IBA or ADR related, and thus, 
were not compliance matters related to the Code. 
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ANNUAL REVIEW 


The annual review includes an in-depth analysis of 
the member companies’ business models, policies 
and practices to help confirm that they continue 
to comply with the Code, even as their individual 
businesses and the industry as a whole evolves. 
For the 2013 annual compliance review, NAI staff 
reviewed the 88 companies that were members 

as of January 1, 2013. These members will be 
referred to as “evaluated member companies” 
throughout the report. Those members that joined 
the NAI after January 1, 2013,'4 were subject to 
review during the calendar year as part of the 
pre-certification process, and were not re-assessed 
in the 2013 annual review process." 


Training 


The NAI kicked off the 2013 annual review with 

a training seminar designed to refresh newly 
evaluated member companies’ knowledge of the 
Code. During the seminar, NAI staff explained the 
key requirements of the Code, highlighted potential 
changes based on the forthcoming 2013 Code 

of Conduct"® (2013 Code) update, and answered 
questions about the compliance process in general. 
This presentation supplemented the general 
training that NAI staff provided its members on 
individual policy issues throughout the year. 


13 The following companies did not renew their NAI 
membership in 2013: Adconion, Dedicated Networks, EZTarget 
Media, and Akamai. Two companies, AdBrite and Pulse 360, 
ceased operations altogether. Additionally, the following members 
were absorbed by other member companies and ceased 
independent operations, and therefore were not evaluated during 
the 2013 annual review process: Interclick, Channel Intelligence, 
Admeld, Mindset Media and Invite Media. 


14 See supra, note 6. 


15 NAI staff makes every effort to review new member 
companies first, during the subsequent annual review, in order 
to minimize the time between a member's initial review during 
pre-certification and its first annual compliance review. 


16 = The 2013 Code of Conduct can be found at: 
http://www.networkadvertising.org/2013_Principles.pdf. In 2014, 
the NAI will help member companies ensure that their business 
and technological practices continue to conform with the 2013 
Code of Conduct, even as those practices evolve with the rapid 
and perpetual emergence of various digital innovations. 
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Evaluated Member Companies 


[x+1] 


24/7 Media (now 
Xaxis) 


33 Across 
Accuen 

Adap.tv 

Adara Media 
Adblade 
AddThis 

AdRoll 
Aggregate Knowledge 
AOL Advertising 
AppNexus 

Atlas Solutions 
AudienceScience 
Batanga Network 
Bazaarvoice 

Bizo 

BlueKai 


Break Media 
(now Defy Media) 


Brightroll 
Brilig 

Burst Media 
Buysight 
Casale Media 


Chango 


ChoiceStream 
Cognitive Match 
Collective Media 
Core Audience 

Cox Digital Solutions 
Criteo 

Cross Pixel 
DataLogix 

DataXu 

Datonics 

eXelate 

eyeReturn Marketing 


FetchBack 
(now eBay Enterprise) 


Glam Media 
Google 

|-Behavior 

IDG Tech Network 
IgnitionOne 
Intent Media 
Kontera 


Legolas Media 
LiveRail 

Lotame 

Magnetic 

Markit On Demand 
MaxPoint Interactive 


MediaéDegrees 
(now Dstillery) 


Media Innovation 
Group 


MediaForge 
MediaMath 


DG MediaMind 
(now Sizmek Inc.) 


Microsoft Advertising 
Mixpo 

MLN Advertising 
Netmining 

Netseer 


TARGUSinfo (now 
Neustar) 


OwnerlO. 
PointRoll 
Proclivity Media 
PubMatic 
PulsePoint 
RadiumOne 
RichRelevance 
Rocket Fuel 
The Rubicon Project 
ShareThis 
Specific Media 
SteelHouse 
TellApart 

Tribal Fusion 
Triggit 
TruEffect 
TubeMogul 
Tumri 

Turn 

Undertone 


ValueClick, Dotomi 
and Mediaplex (now 
Conversant) 


Vibrant Media 
Videology 
Yahoo! 

YuMe 

ZEDO 
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Written Questionnaire and Supporting Documentation 


Evaluated member companies submitted written responses to a detailed, newly expanded 2013 
compliance questionnaire. The questionnaire required evaluated member companies to describe 
their business practices and policies in juxtaposition to the obligations of the Code requirements. 
Where relevant, the questionnaire also requested that members provide supporting documentation. 
The questionnaire covered such issues as the collection and use of data for IBA purposes; policies 
governing those practices; contractual requirements imposed on business partners concerning 
notice and choice around IBA activities; other protections for data collected and used for IBA 
purposes, such as data retention schedules; and processes for oversight and enforcement of 
contractual requirements. 


While most evaluated member companies provided thorough answers to the questionnaire, NAI staff 
required some evaluated member companies to re-submit their questionnaires, in whole or in part, 
when responses were deemed to be materially inadequate or incomplete to be addressable during 
the compliance interviews. A minimum of two NAI staff members reviewed each evaluated member 
company’s submitted materials to assess compliance with the Code, including, as applicable: 

(1) representations of business practices as set forth in the evaluated member company’s public 

and non-public materials, including evaluated member company’s (a) public website, (b) privacy 
policy, (c) terms of service, (d) advertising contracts, and (e) marketing materials; and (2) responses 

to the extensive questionnaire. 


Interviews 


Following the review of questionnaire submissions and other supporting materials, at least two NAI 
staff members interviewed representatives from evaluated member companies. These interviews were 
primarily with high-level management and engineering staff. During these interviews, the compliance 
team reviewed Code requirements to help ensure that evaluated member companies were aware 

of their responsibilities as members. NAI staff discussed the evaluated member company’s business 
and policy issues covered in the questionnaires. NAI staff pressed for additional clarification on 

the calls in the event that questionnaire answers were incomplete, vague, or unclear. The NAI team 
also queried technical representatives about data flows, opt-out functionality, data retention, all 
technologies used for IBA on desktop and related purposes, and technical measures to prevent the 
use of PII’? for IBA purposes. 


These interviews helped provoke internal discussions around data collection and use within the 
evaluated member companies. The interviews also gave NAI staff additional in-depth insight into 
evaluated member company businesses and the industry in general. In turn, this further enhanced the 
NAI’s understanding of evolving business models and boosted the staff's existing knowledge about the 
industry, which enriches their ability to flag potential privacy issues, possible Code violations in general, 
and shape future versions of the NAI Code. 


17 See supra, note 10. 


18 As defined in the Code, Personally Identifiable Information includes “name, address, telephone number, email address, financial 
account number, government-issued identifier, and any other data used or intended to be used to identify, contact or precisely locate a 
person.” (Code § II.7) 
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During these interviews, NAI staff provided evaluated member companies with general guidance, 
reminders of certain new requirements of the 2013 NAI Code, and best practice suggestions. In 
most cases, the NAI provided recommendations on alternative language for privacy disclosures and 
encouraged evaluated member companies to minimize the amount of data they collect for IBA. Staff 
also provided extensive feedback to evaluated member companies to help them improve messaging 
around opt-out successes or failures due to browser level controls. For example, NAI recommended 
that evaluated member companies provide a clear, visual confirmation of a successful opt out or a 
corresponding error message if a consumer's browser prevented an opt-out cookie from being set. 


Attestations 


After the completion of the questionnaire and interview process, and as a final step in the annual 
compliance review, evaluated member companies were required to attest in writing to their ongoing 
compliance with the Code. They also had to attest to the veracity of the information provided in the 
review process, including any necessary amendments to the questionnaire. 


FINDINGS OF 2013 
ANNUAL REVIEW 


The Code requires the NAI to publish the results of its annual review. The following 


sets forth the findings of NAI staff with respect to the 2013 annual review. This 
section also more fully summarizes the obligations imposed by the Code, but does 
not restate all principles set forth in the Code. It should not be relied upon for that 
purpose. The full Code, including definitions of relevant terms, can be found through 


the links provided in this report. 
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Compliance is the heart of the NAI 


self-regulatory program. 


It is important for a self-regulatory program to educate 
consumers about its mission and underlying principles. 
In 2013, member companies continued to meet the 
obligation to both collectively’? and individually educate 
consumers about the NAI self-regulatory program. 


First, members maintained the centralized, consumer- 
friendly NAI education site. The NAI education pages 
provide consumers with a general understanding of 
the IBA activities of NAl members and the choices 
available to them. The site also provides a prominent 
opt out, offers a description of how data may be 
collected and used by NAI members, and presents a 
general description of IBA. 


Evaluated member companies also promoted the 
NAIS education pages through a digital advertising 
campaign, donating over 2 billion impressions to 
the campaign. During the same period, members 


3.14 million consumers visited 


the NAI education site in 2013. 


also donated impressions to the Digital Advertising 
Alliance's (DAA) educational campaign around IBA.” 
The DAA is an umbrella industry self-regulatory 
organization in which the NAI participates. Collectively, 
through these various efforts, evaluated member 
companies expended considerable effort and 
resources to educate consumers about IBA. 


Beyond maintaining a centralized consumer education 
page, the Code further encourages member 
companies to individually educate consumers about 
IBA and the choices available to them. (§ III.1(b).) 

Staff found that, overall, NAI members satisfied this 
requirement. For instance, some evaluated member 
companies provided consumer education content on 
their own websites, including digital videos on IBA. 


19 Under the transparency obligation in the Code, members are required to take on education efforts individually and collectively. 


Members can collectively educate consumers through the NAI website, which serves as a centralized portal for offering explanations of 
IBA and for providing consumers access choice mechanisms. Members also provide links to the NAI through their own websites where 
consumers can learn about the IBA. (§ IIl.1(b)) 


20 See http://www.networkadvertising.org/understanding-online-advertising. 


21 The DAA education site is hosted at http://www.youradchoices.com/. Similar to the NAI’s education page, the DAA's education page 
presents information about IBA and the DAA‘ “Advertising Option” icon, explaining how IBA works and the choices available to consumers. 
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NAI animated ad campaign 


THE RIGHT ADS 
MAKE THE INTERNET 


BETTER. 


Find Out How> 


NOTICE 


The Code requires members to provide notice 
to consumers about their IBA activities in two 
distinct locations. 


First, members must describe their data 
collection, transfer, and use for IBA related 
activities on their websites, along with a data 
retention statement. (§ III.2(a).) The notice must 
also provide a description of whether the member 
merges PII and non-PII for IBA, and how such 
data will be used. Further, the notice must include 
an easy procedure for exercising an appropriate 
choice mechanism. (§ III.2(a)(v).) 


During the annual review, NAI staff assessed the 
privacy policies and disclosures of evaluated 
member companies and confirmed that they 
substantially met Code requirements. Staff also 
reviewed these disclosures to help confirm that 
they corresponded with each evaluated member 
company’s current IBA practices. Throughout this 
process, staff found that evaluated members’ 
privacy policies had become increasingly easier 
to find and understand. For example, evaluated 
member companies had made simple changes 
such as making the font and color of the privacy 
policy link more prominent on their site, making it 
easier for consumers to find the link. 


Second, through contractual requirements, 
members helped ensure that the digital 
properties with which they partner for IBA 
activities post notice and choice around these 
activities. (§ III.2(b).) Based on answers to the 
NAI compliance questionnaire and a review of 
evaluated members companies’ sample partner 
contracts, the NAI found that evaluated member 
companies took this obligation seriously. 


In addition, NAl members continued to lead 
industry efforts to provide notice and choice to 
consumers in and around the ads delivered to 
them. Evaluated member companies served the 
DAA’s “Advertising Option Icon,” or provided a 


OR 


similar link, in or around online advertisements 
trillions of times per month. That icon or link 
provides just-in-time notice by NAl members to 
consumers, offering yet another means by which 
consumers can be informed of IBA activities of 
members and the choices available to them.” 


The DAA’s “Advertising 


Option Icon” 


Health Transparency 


Under the NAI’s health transparency policy,” 
members are required to publicly disclose 
standard segments used for IBA that are 

based on health-related information. The goal 
behind the policy is to allow consumers to 
make educated decisions about whether to 

opt out of the collection and use of certain 
health-related data for IBA purposes by member 
companies. The public disclosure is separate 
and distinct from the requisite Opt-In% Consent 
(see the next section) required under the 

Code for the collection and use of Sensitive 
Consumer Information. No other self-regulatory 
organization in the ecosystem for IBA has this 
requirement. 


Through the questionnaire, staff found that, 
overall, evaluated member companies complied 
with this policy in a variety of formats. Some 
disclosed all standard interest segments 
available to partners, whether or not the 


Nearly 278,481 websites 
included a link to the 
NAI website. 


segments were related to health topics, while 
others listed all health-related segments on 
pages linked from their privacy policies. 


NAI staff found that many evaluated member 
companies did not offer standard interest 
segments associated with health topics, and as 

a result, those members were not required to 
publicly disclose a list of all such segments.” 
However, some member companies offered 
customized, non-sensitive health segments 

(such as an exercise segment) created for 
individual campaigns. NAI staff encouraged those 
companies to publicly provide examples of such 
segments as a best practice in order to better 
educate the public about their activities. When 
applicable, staff also recommended that evaluated 
member companies publicly post a statement if 
they did not serve interest-based advertisements 
to consumers based on sensitive health-related 
interests. NAI staff will consider whether it can 
provide additional guidance to members that will 
enhance the consistency of these types of notices 
across its membership in 2014. 


22 Though enhanced notice is not a requirement of the current Code, the 2013 Code requires that members provide, and support 


the provision of, notice in or around Interest-Based Ads. 


23 See http://www.networkadvertising.org/blog/extra-dose-of-transparency-shedding-greater-light-use-of-health-related-data- 


online-advertising. 


24 Under the Code, Opt-In Consent means that “a consumer expressly consents to allow OBA, either in response to a clear and 
conspicuous request for such consent or at the consumer's own initiative, prior to engaging in OBA about the consumer. A consumer's 
Opt-In Consent requires some affirmative action on the consumer's part that manifests the intent to Opt-In.” (§ 11.4) 


25 Many evaluated member companies did not employ “standard” interest segments at all, but rather engaged only in practices 


such as retargeting, search retargeting, and custom segmentation. 
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CHOICE: OPT-OUT CONSENT 
Presence of Opt-Out Mechanisms 


NAI member companies are required to provide choice for the collection and use of data for IBA purposes. 
(§ Ill.2(a)(v).) They must also honor that choice. (§ IIl.3(a).) The level of choice required by the Code, Opt-In 
or opt out, depends on the intended use and type of data collected. (§ III.3(a).) With respect to the use of 
non-Pll for IBA, for example, member companies are required to provide and honor an opt-out mechanism 


in two discrete locations: on the NAI member's website and on 
the NAI consumer website. (§ III.3(a).) As discussed below, the 


Over the past five years, the NAI NAI confirmed with evaluated member companies that they do 


website had nearly 33 million 
visits, including 64 million page 


not currently collect and use PII for IBA. As a result, this report 
addresses the provision and honoring of opt-out choices for the 
use of non-PIl for IBA only. 


views. The opt-out page had over 


26 million page views. 


The NAI confirmed that evaluated member companies 
provided an opt-out mechanism both on their own website and 
on the NAI consumer website. Additionally, the NAI also found 
that an increasing number of evaluated member companies 


had made their opt-out disclosures even easier for consumers to locate on their websites through such 
efforts as providing a prominent “opt out” button at the top of their websites or links to their opt-out 


pages from the footer of every page on their websites. 


During the annual compliance training and interviews, NAI staff provided evaluated member companies 
with recommended best practices around providing a more-consumer friendly opt-out link on their 
company sites. Some sample opt-out link recommendations included: 


NAI staff manually examined the 


Making the opt-out link more obvious and easy to find (e.g., using a different colored font for the 
opt-out link and providing the link on the evaluated member company's homepage); 


Labeling the opt-out link appropriately to convey the importance, nature and relevance of the 


n; n "n, n 


information it leads to (e.g., “privacy”; “consumer information”; “opt out”); and 


Eliminating extra steps or links in the opt-out process and instead taking consumers directly to the 
opt out page or mechanism. 


Functioning of Opt-Out Mechanisms 


To help confirm that evaluated member companies were 
honoring consumer choice, NAI staff supplemented its 


life span, behavior, and content of automated opt-out testing% with a detailed questionnaire 
more than 500 IBA cookies of its about the functionalities of evaluated member companies’ 


opt-out mechanisms, and extensive manual testing during the 


evaluated member companies. annual review. The questionnaire required evaluated member 


companies to list the name, value, domain, and purpose of 
every cookie they continued to set following an opt out. 
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As detailed above, in 2013, the NAI increased its technical automated monitoring of member companies’ opt outs. The testing 


flagged potential issues with members’ opt-out mechanisms, including the inability to set an opt-out cookie. A more thorough 
discussion of the findings from the automated tool is set forth above. 
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Staff manually tested the opt out of each evaluated member company. Staff reviewed the behavior of 

the opt-out scripts, the lifespans of the opt-out cookies, names and values of all opt-out cookies and 

any potentially unique cookies that were used after an opt out. The manual testing, combined with 
questionnaire responses, indicated that evaluated member companies did not continue to collect data for 
IBA purposes where an opt-out cookie is present. In testing, NAI staff noted any cookies with potentially 
unique identifiers used by a member following an opt out. If a unique identifier was found, NAI staff 
inquired about the use of all such cookies. Staff confirmed with the evaluated member companies that the 
cookies were not used for IBA purposes. Of those evaluated member companies that continued to set 
cookies with unique identifiers after an opt out, all confirmed that such use was for non-IBA purposes only, 
such as for analytics, frequency capping, and attribution. Additionally, all evaluated member companies’ 
opt outs appeared to include functioning P3P information, increasing the likelihood of proper functionality 
across a wide range of browser settings. Staff also reviewed the messaging to consumers following 
successful and unsuccessful opt-out attempts. 


Evaluated member companies also affirmed in the questionnaire that their opt-out mechanism prevented 
the collection and use of data for IBA. In fact, many evaluated member companies reported that they 
ceased collecting all data following an opt out. Further, all evaluated member companies set opt-out 
cookies with a lifespan of at least five-years, as required by the NAI.” 


Based on the annual questionnaire answers, the NAI further found that evaluated member companies had 
sophisticated systems and policies in place in attempting to verify the effective operation of their opt-outs. For 
example, evaluated member companies conducted manual testing of their opt outs, had employed automated 
monitoring tools, conducted regression tests for any code changes on their servers and monitored consumer 
complaints about opt out functionality through their website. NAI staff reviewed the effectiveness of each 
member company’s monitoring program to maintain opt-out functionality, and where necessary, recommended 
improvements such as industry standard OA/unit/regression testing for any vital product or service. Staff further 
suggested that evaluated member companies conduct ongoing logging and monitoring of choice mechanisms. 


The manual testing, in conjunction with evaluated member companies’ responses to the compliance 
review questionnaire and their own checks around their opt outs, demonstrated that overwhelmingly 
opt-out mechanisms appeared to function as intended and that potential technical problems resulting in 
downtime of an opt out were quickly identified and rectified. 


Technologies Used for IBA 


The Code is intended to be technology-neutral” with respect to the technologies that can be used for 
IBA, though NAI members have historically used HTTP cookies for IBA. Member companies wishing 
to use any technologies for IBA must do so in compliance with the Code. This includes, at minimum, 
provision of requisite transparency, notice and choice requirements set forth in the Code. 


Again in 2013, the NAI found that all evaluated member companies used only HTTP cookies for IBA 
in the desktop space.” All evaluated member companies attested, through the questionnaire and 


27 See http://www.networkadvertising.org/faq/#n178. 
28 See footnote 3 of the 2008 Code. 


29 The Code and this NAI policy do not currently cover IBA activities on mobile devices or mobile companies. As a result, NAI 
staff's review and testing was limited to desktop devices. 
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interviews, that they did not use any technology other than standard HTTP cookies for IBA purposes in 
desktop browsers. Additionally, NAI staff evaluated data from its’ technical monitoring tool to look for 
any locally stored objects set by evaluated member companies, as well as for any evidence of a unique 
identifier in a targeting cookie “respawning” after such cookie is deleted.. The NAI's testing did not 
uncover any evidence of evaluated member companies using alternate technologies for IBA. 


OPT-IN CONSENT 


Under the Code, member companies are required to obtain Opt-In Consent for the use of “Sensitive 
Consumer Information” (§§ III.3(a)(iv), 11.8) and the merger of PII with previously collected non-PIl for 
IBA purposes. (§ III.3(a)(iii).) 


Once again, NAI staff found that evaluated member companies did not use Sensitive Consumer 
Information for IBA purposes. The NAI also found that evaluated member companies had a uniformly 
high awareness of the sensitivity of this data. Consequently, evaluated member companies had 
protections in place to ensure that Sensitive Consumer Information was not used for IBA. 


Similarly, as detailed below, evaluated member companies reported that they did not merge PII with 
non-PIl for IBA purposes. Accordingly, no evaluated member company sought to obtain Opt-In Consent 
under the Code. 


PERSONALLY IDENTIFIABLE INFORMATION (PII) 


The Code is designed to encourage data minimization by setting higher standards for the use of PII?! 
for IBA. The most notable of these incentives is the heightened notice and choice requirements that 
apply to the use of PII for IBA purposes. As a result of the disincentives imposed by the Code to use PII 
for IBA purposes, NAI staff found that evaluated member companies did not intentionally use PII for 
IBA purposes. 


Evaluated member companies, in fact, set up strong mechanisms to help ensure that they did 

not collect or receive PII for IBA purposes. First, they generally imposed contractual restrictions 
forbidding their data providers or partners from passing PII to them. They reinforced these contractual 
requirements through technical controls in the event that PII is passed to them inadvertently. Some 
evaluated member companies, for example, set up their platforms to not accept data with the “@” 
symbol. This would indicate that the data could include an email address, which is considered PII under 
the Code. Evaluated member companies generally designed their systems to ensure that any PII that is 
inadvertently collected is immediately discarded and is not stored or used for IBA purposes. 


30 Id. 


31 The Code also restricts member companies from collecting PII for IBA purposes in the absence of a contractual relationship with 
the other, partner companies (§ III.4(c)); provides that if a member changes its own privacy policy with regard to PII and merger with non- 
PII for IBA purposes, prior notice must be posted on the member's website, and any material change shall only apply to data collected 
following the change in policy (§ III.4(d)); specifies that if data is collected under a privacy policy that states that data would never be 
merged with PII, such data may not be later merged with PII in the absence of Opt-In Consent from the consumer (§ III.4(e)); requires 
members to contractually require any third parties to which they provide PII for IBA or Multi-Site Advertising to adhere to applicable 
provisions of the Code (§ III.5(a)); and requires members to provide consumers with reasonable access to PII and other information 
associated with that PII retained by the member for IBA or Multi-Site Advertising purposes. (§ III.6(a).) Multi-Site Advertising is defined 
under the Code as “Ad Delivery and Reporting across multiple web domains owned or operated by different entities.” (Code § 11.2) 
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CHILDREN 


Evaluated member companies were found to be in compliance with the Code requirement that requires 
verifiable parental consent for the use of non-Pll, such as unique identifiers stored in cookies, to create 
segments targeted at children under 13 years of age. (§ II|.4(a).) No evaluated member company was 
found to create segments specifically targeting children under 13. Evaluated member companies were 
highly aware of the sensitivity of data related to children, and had processes, policies and procedures in 
place to ensure that segments specifically targeted at children under 13 are not created or used.” 


MARKETING PURPOSES 
Evaluated member companies were also found Code restricts member companies 
to not use, or allow the use of, IBA data for any from using or allowing the use 
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h han for “Marketing P f 
a. of, data collected for IBA for 


any other purpose other than 
Marketing Purposes. 


As stated above, members may create and use 
health segments for IBA purposes, provided that 
they publicly disclose those segments per the health 
transparency policy obligations. It is essential to re- 
emphasize here that this principle prohibits members from using, or allowing the use of, these publicly 
disclosed health-related interest segments (or any segment at all) for any purpose other than Marketing 
Purposes.™ In other words, members are prohibited from using or allowing others to use any data they 
collect from IBA activities, including the health segment data that they are required to publicly post 
under the health transparency policy, for making eligibility decisions such as for health care, insurance, 
credit, or employment.* 


DATA RETENTION, SECURITY, AND TRANSFER RESTRICTIONS 


The Code imposes requirements designed to help ensure that data collected from IBA activities is adequately 
secured and is retained only so long as necessary. During the annual review, NAI staff confirmed through the 


questionnaire answers that evaluated member companies were in compliance with the Code requirement to 
retain data only as long as necessary for a legitimate business purpose. (§ IlI.9). Members were required to 
attest to the longest duration of IBA data storage on their servers. Independently, NAI staff manually examined 
the expiration dates of members’ cookies and posed additional questions when those cookies’ lifespans 
exceeded the stated retention period. Staff then confirmed that members’ privacy disclosures clearly and 


32 Member companies are, of course, expected to abide by the laws applicable to their businesses. In consideration of helping 
members keep up with changing laws, the NAI provided an education seminar to its member companies about the requirements of the 
Federal Trade Commission's updated Children’s Online Privacy Protection Act. 


33 Under the Code, Marketing Purposes includes “any activity undertaken to collect, aggregate, analyze, maintain, update, or 
sell information in order to tailor content or services that allows or induces consumers to take action to purchase, rent, or exchange 
products, property or services, to solicit a charitable donation, to utilize market research or market surveys, or to provide verification 
services to marketers.” (§ II.9.) Based on this narrow limitation on data usage, members may not use data collected for IBA or ADR 
for any other purpose, including to determine a consumer's employment eligibility, credit eligibility, health insurance eligibility and 
insurance eligibility and underwriting pricing. 


34 See (§ III.4(b).) 
35 Section II(D)(2) of the 2013 Code expressly prohibits the use of the data collected from IBA activities for eligibility purposes. 
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conspicuously explained these retention practices. 
In certain cases, NAI staff suggested methods for 
members to make such disclosures more thorough 
and accessible. During this process, NAI staff also 
encouraged members to further reduce their data 
retention periods, while highlighting the need for 
data minimization in general. 


Evaluated member companies also attested that 
they were in compliance with the obligation to secure 
data appropriately. (§ III.8). Additionally, evaluated 
member companies attested and explained in 
interviews, that they obtain data from reliable 
sources. (§ III.7). Evaluated member companies 
reported conducting appropriate due diligence on 
data sources to help ensure their reliability, including 
reviewing the potential partners’ business practices, 
particularly of those partners that were not members 
of the NAI. Other due diligence steps included 
reviews of potential partners’ privacy policies, data 
collection practices and choice mechanisms. 


Evaluated member companies were found to be 

in compliance with the obligation to contractually 
require any third parties to which they provide 
non-aggregate non-PIl, to be merged with PII data 
possessed by that third party for IBA or Multi-Site 
Advertising services, to adhere to the applicable 
provisions of the Code unless the non-PIl is itself 
proprietary to that third party. Additionally, a 
majority of evaluated member companies reported 
that they do not share any user-level data at all. 


Available sanctions include: 
e Temporary suspension of membership status for a fixed or indefinite term. 


e Permanent revocation of membership. 
e Publication of revocations by press release. 
e Referral to Federal Trade Commission or to state attorneys general. 


SANCTIONS 


A detailed compliance assessment process, 
coupled with strong sanctions, are essential 
components of the NAI self-regulatory program. 
Investigations and analysis of alleged violations 
and review of reports generated through the 
NAI automated technology tool are completed 
by NAI staff, which is composed of experienced 
attorneys and technologists. If NAI staff find 
during any of the compliance processes that a 
member company may have materially violated 
the Code, then they may refer the matter to the 
Board of Directors with a recommendation for 
sanctions.* If the NAI Board determines that 

a member has materially violated the Code, 
then the NAI may impose sanctions, including 
suspension or revocation of membership. 

The NAI may ultimately refer the matter to 

the Federal Trade Commission if a member 
company refuses to comply. The NAI may also 
publicly name a company in this compliance 
report, and/or elsewhere as needed, when NAI 
determines that the member engaged in a 
material violation of the Code. 


36 For further details about the NAI enforcement procedures, see http://www.networkadvertising.org/code-enforcement/ 


enforcement. 
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SUMMARY OF FINDINGS 


In 2013, NAI staff found that evaluated member companies were overwhelmingly in compliance with the 
Code. NAI staff also found that evaluated member companies were even more sophisticated in their 
understanding of the Code than in previous years due to the fact that, for many evaluated member 
companies, this was their fifth compliance review under the Code. 


Moreover, the 2013 annual review also demonstrated that evaluated member companies remain highly 
committed to the NAI's self-regulatory framework. As in prior years, representatives of the vast majority 
of evaluated member companies expressed commitment to, and a desire to learn from, the compliance 
process. They were eager for further guidance from the NAI on how to best align their business practices 
with the Code and industry best practices. Many evaluated member companies promptly implemented 
suggested changes in practices suggested by NAI staff during the annual review, even when not strictly 
required by the Code 


IMPROVEMENT & 
DEVELOPMENTS 
IN 2013 


Effective self-regulation must constantly evolve to reflect changes in the industry, 


technologies, and public policy. To this end, in its 2012 Annual Compliance Report, 
the NAI committed to: (1) update the Code, (2) adopt rules governing the collection 
and use of data through mobile applications and (3) develop guidance addressing the 


potential use of technologies other than standard HTTP cookies. 
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Effective self-regulation must constantly evolve to reflect 


changes in the industry, technologies, and public policy. 


On May 16, 2013, the NAI released the final 2013 Code of Conduct.” The 2013 Code consolidated 
several policy statements and imposed additional requirements on members. For example, the 
definition of “Sensitive Data,” which requires Opt-In Consent, was expanded to include sexual 
orientation.*? The expanded scope of the 2013 Code also offers the NAI and its members flexibility 
to accommodate existing and emerging business models and practices in the increasingly diverse 
third-party advertising ecosystem. 


The 2013 Code will be enforced by NAI staff as of January 2014. 


“When I read [the 2013 Code] the first time, it knocked me off my feet.”*° 


Pam Dixon 
Executive Director, World Privacy Forum 


37 See supra, note 16. 
38 See § |.(H) of the 2013 Code. 
39 = See § 1.(G) of the 2013 Code. 


40 See “Room 1 — Day 2” of the Computers, Freedom, and Privacy Conference at http://new.livestream.com/accounts/1409343/ 
events/2202468. 
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MOBILE APPLICATION CODE 


The NAI expanded the organization's self-regulatory program through its issuance of the NAI Mobile 
Application Code of Conduct in 2013.4 The Mobile Application Code, which is substantially similar to 
the 2013 Code, covers data collected across mobile applications, rather than desktop websites. It is 
specifically tailored for the rapidly evolving mobile advertising ecosystem. For example, it provides new 
guidance on how members can provide adequate notice and choice on small, mobile screens. It also 
provides requirements for the collection and use of precise location data and other types of personal 
data available in the mobile world, such as contact lists and photos. Consumers will benefit from 
enhanced transparency and control in the mobile world as they increasingly use tablets, smart phones, 
and other mobile devices to engage with brands, content, and digital services. 


The Mobile Application Code establishes recommended practices not yet fully integrated into the 
NAI compliance program. Therefore, this compliance report does not address compliance with the 
Mobile Application Code.* 


“The best self-regulatory programs are nimble, keeping pace with rapid changes in 
technology and business practices in ways legislation and regulation cannot. The NAI 
demonstrates this benefit of self-regulation, evolving to take into account changes in 
data collection and use practices, technologies, 

and public policy.”*" 


Maureen K. Ohlhausen 
Commissioner, Federal Trade Commission 


41 See http://www.ftc.gov/sites/default/files/documents/public_statements/remarks-commissioner-maureen-k. 
ohlhausen/130521naisummit.pdf. 


42 The Mobile Application Code is available at: http://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf. 


43 The NAI is currently accepting membership applications from mobile networks, exchanges, and other ad tech companies 
specializing in mobile advertising. It is also working with existing members to bring their mobile advertising services into compliance 
with the Mobile Application Code. New members will go through the standard pre-certification process to help confirm that they are 
in compliance with the Mobile Application Code prior to joining the NAI. Existing members engaged in IBA on mobile devices will 
work with NAI staff throughout 2014 to bring their operations into compliance with the Mobile Application Code, which is currently 
scheduled to go into effect in 2015. 
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GUIDELINES FOR NEW TECHNOLOGIES 


Though the NAI Code is “technology neutral,” any technology used by members for IBA must 
meet the requirements of the Code. As noted in this report, in 2013, in compliance with the 
Code, members confirmed during their annual review that they only used HTTP cookies for 
IBA activities on desktop browsers.” 


In 2013, to address various changes and challenges in the industry, the NAl convened a working group 
to develop guidelines to address the potential use of other technologies for IBA. The group is drafting 
guidance around the use of these technologies in a manner consistent with the 2013 Code. It is the 
NAI’s goal in 2014 to help those members that choose to adopt these technologies to use them in 
conformance with the NAI's strict requirements around transparency, notice, choice and accountability. 


2013 Initiatives: 
e New consumer education website launched. 


e Updated NAI Self-Regulatory Code of Conduct released after a notice and public comment period. 
e Sanctions and Enforcement Procedures updated, consolidated, and posted online. 
e Mobile Application Code released. 


44 See supra, note 29. 
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CONCLUSION 


Through this report, the NAI provides transparency into its various compliance efforts in 


reviewing member practices and helping to confirm that members observe the obligations 
of the Code. This report proves once again that the NAI has enhanced the overall health 
of the digital advertising industry through this rigorous process- from pre-certification 
reviews, to educational seminars, to technical monitoring, to questionnaire reviews and 
member interviews- is designed to detect potential Code violations as quickly as possible, 
and protects consumers by helping make sure its members follow the Code. Its staff also 


consults one-on-one with members throughout the year, providing guidance as needed. 
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While the NAI is pleased with its efforts to improve 


its self-regulatory program, and the hard work of its 


members to comply with the Code, the NAI constantly 
seeks to improve its program. 


During 2014, NAI will work to bring member companies’ practices into alignment with the 2013 Code 
of Conduct and the Mobile Application Code. The NAI will be updating its education page to more 
effectively inform consumers about IBA and Cross-App Advertising® in the mobile world. The NAI will 
also continue to further enhance its technical monitoring tool. 


The NAI's overall mission is to raise the bar for privacy as a whole, with NAI’s members leading by 
example, as the industry moves quickly toward the use of new technologies in the digital advertising 
space. It is the NAI's goal in 2014 to release final guidelines around use of these technologies and to 
guide its members and the industry in adapting and moving forward with these new technologies, 
including cross-device, with a privacy-centric approach. 


NAI staff looks forward to working with its members in 2014 to further develop best practices for the 
collection and use of data for IBA across the ever-growing digital world. 


45 As defined in § I(A) of the Mobile Application Code. 
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HIGHLIGHTS OF THE 2013 NAI COMPLIANCE PROGRAM FINDINGS: 


e NAI reviewed 88 companies during the 2013 annual review. 
e 6,400,000 consumers visited the NAI site in 2013. 


e In 2013, NAI still did not find any material noncompliance with the Code. 


Education: 
e Members donated 2 billion impressions to the NAI educational campaign. 


e 3,140,000 consumers visited the NAI education site in 2013. 


Notice: 
e Nearly 278,481 websites included a link to the NAI website. 


e NAI members delivered the “Advertising Option” Icon, or a similar Icon 
or link, trillions of times a month, to consumers. 


Choice: 
e 3,920,000 consumers visited the NAI opt-out page. 


e NAI monitoring tool helped spot opt out glitches, which were fixed within an 
average of 24 hours from the time the member received notice from the NAI. 


e NAI staff manually examined the lifespan, behavior, and content of over 
500 IBA cookies of its evaluated member companies. 


Consumer Communications: 


e NAI received and reviewed 7,791 consumer queries through its website or via email. 


e NAI staff also received approximately 1,000 telephone calls from consumers in 2013. 


Washington Office 


1620 Eye St. NW, Suite 210 
Washington, DC 20006 
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